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(57) Abstract 

The invention concerns authentication 
to be perfbimed in a telecommunications net- 
work, especially in an IP netwoik. To al- 
low a simple and smooth authentication of 
users of IP networks In a geographically 
laT^ area, the IP netwoik's temiinal (TEI) 
uses a subscriber identity module (SIM) as 
used in a separate mobile conununications 
system (MN), whereby a response may be 
determined from the challenge given to the 
identity module as input. The IP network 
also includes a special security server (SS), 
to which a message about a new user is 
transmitted when a subscriber attaches to the 
IP netwoik. The subscriber's authentication 
information containing at least a challenge 
and a response is fetched from the said mo- 
bile communications system to the IP net- 
work and authenticaticm is carried out based 
on the authentication information obtained 
from the mobile communications system by 
uunsmitting the said challenge through the 
IP nctworic to the temiinal, by generating 
a response from the challenge in the ter- 
minars identity module and by comparing 
die response with the response received from 

dte mobile communications system. Such a 

database (DB) may also be used in the sys- 

tem, wherein subscriber-specific authentica- ^ . ^ ^ ^ u u-, 

tion infonnation is stored in advance, whereby die information in question need not be fetched from the mobile communications system 
when a subscriber attaches to the network. 
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SYSTEM AND METHOD FOR AUTHENTICATION IN A MOBILE COMMUNICATIONS SYSTEM 

Field of the invention 

The invention relates to authentication in a telecommunications net- 
5 work, especially in an IP network (IP = Internet Protocol), and also to im- 
provement of the network's data security features with the aid of the perfbnned 
authentication. Authentication means verification of the identity of the party, 
such as the subscriber, who has generated data. Using authentication it is also 
possible to guarantee integrity and confidentiality of the said data. Authentica- 
10 tion may be performed for various purposes, such as for checking the right of 
use of networic services. The invention is intended for use especially in con- 
nection with mobile temiinals, but with the solution according to the invention 
advantages are also achieved in connection with fixed temiinals. 

1 5 Background of the invention 

The strong growth in number of Intemet users has been one of the 
most remaricable phenomena in communications in recent years. The rapid 
growth has also highlighted defects on the Intemet. Oiie of these is the poor 
data security of the networic. The IP protocol version (IPv4) now in general use 

20 does not provide any such means, with which it would be possible to make 
sure that infonnation anived from the opposite end did not change during the 
transfer or that the information did in fact anive from that source, who claims to 
have sent the information in question. In addition, it is easy to use various tools 
in the networi^ for listening in to the traffic. For these reasons, those systems 

25 are very vulnerable which transmit non-encrypted critical infonnation. e.g. 
passwords. 

The new IP version (IPv6) has internal characteristics that allow safe 
communication between Intemet users. Because the transition to the new 
protocol will be slow, the data security features should be such that they are 
30 compatible with tiie present IP version (IPv4), and so that they can be added 
to this. 

Various such systems have been developed to improve the data 
security properties of the Intemet where users can send- the infonnation en- 
crypted to the other party. One such system is ttie Kerijeros, which is a service 
35 with which networi< users and sen/ices can authenticate one another and with 
which users and sen^ices can bring about encrypted connections between 
each other. The Kerberos system is utilised In one embodiment of the present 
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invention which will be described more closely hereinafter. 

Another current trend is the strongly increasing use of various mobile 
temfiinals. Along with this trend it is even more important that the terminals will 
have access to the data network also when being located outside their own 
5 home network. Such an access can essentially improve the usability of e.g. a 
portable computer, when the user is not in his/her usual working environment. 
Points of access may be located e.g. at airports, in railway stations, in shop- 
ping malls or on any other public premises, and the access may be wired or 
wireless. 

10 Systems of the described kind, which can be used for sending en- 

crypted information between parties, are mainly intended for fixed terminals 
and they require that the users are registered in advance as users of the 
service. It is a problem nowadays that for IP networks supporting mobility of 
the terminals there is no such existing and functioning authentication or key 

15 management system that would guarantee good geographical coverage and 
at the same time allow the user easily to have an authenticated and safe 
connection available to himself/herself in an area which is geographically as 
large as possible. 

20 Summary of the invention 

It is a purpose of the invention to eliminate the drawback described 
above and to bring about a solution, with which users of a telecommunteations 
networic, such as an IP networic, can be simply and smoothly authenticated, 
almost Inrespectively of where their network access point is located geographi- 
25 cally at each time. 

This objective is achieved through the solution defined in the inde- 
pendent claims. 

The Invention utilizes the authentication method of an existing mobile 
communicattons networi^, especially the GSM network (Global System for 

30 Mobile Communications), in an IP network (or in any other networic which is 
separate from the mobile communications networic). This means that a user of 
the IP networic in his IP networic tenminal uses the same (or an essentially 
similar) subscriber identification unit (SIM) as in his mobile phone or station. 
The idea is to fetch the subscriber's authentication data firom the mobile com- 

35 munications networic over to the IP network side and to cany out the authenti- 
cation in the IP rietworic based on this data. The mobile networic is not neces- 
sarily a GSM network, but it may be some other mobile communications net- 



- 4 - 



■ 31900127 • ^*Pt»J 



WO00/»2406 PCT/FI99/00S65 



work, wherein authentication is used essentially in the same manner, e.g. a 
DCS network (Digital Cellular System), a GPRS network (General Packet 
Radio Sen/ice. which is a sub-network of the GSM) or a UMTS network 
(Universal Mobile Telecommunicatfons System). 
5 In an advantageous embodiment of the invention, the user is regis- 

tered In response to a successful authentication Into a separate key manage- 
ment system, preferably a Kerberos system, whereby It Is possible then easily 
to bring about an encrypted channel between users communicating with one 
another. This is especially important when at least a part of the transmission 
1 0 path consists of a radio path. 

Owing to the solution according to the invention, users of the IP 
network are easily and smoothly authenttoated and, In addition, the users are 
able to avail themselves of efficient security features in a geographically large 
area. This is due both to the wklespread use of GSM networks and to the fact 
15 that roaming agreements between operators allow authentication of subscrib- 
ers entering a foreign networit. E.g. today (1998) a Finnish GSM operator has 
common traffic agreements with operators working in more than 60 countries. 

Owing to the solution according ,to the invention, ISP (Internet Service 
Provider) operators typically also providing mobile communication services 
20 need not separately procure authentfcatton and key management systems in 
the IP networic, but they may use also for this purpose the features of the 
mobile communications network which they operate. 

With the solution according to the Invention such an advantage is also 
achieved in connection witin fixed terminals, that functions built in connection 
25 with the mobile communications networtt can be utilised In connection witti 
Internet sen^ices. E.g. an organisatfon vw)rking botii as a mobile communica- 
tion operator and as an ISP operator may use charging services built in con- 
nection wfth the mobile communtaations networic for charging for the Internet 
sen/Ices which he provides. When also fixed temninals are authenticated witii 
30 ttie method accoixling to the invention, much certainty is achieved that the bill 
will be directed at the correct subscriber. In addition, ttie subscriber can be 
auttienticated. even if he attaches to the networi< from a foreign temninal. 

A brief description of the drawings 

35 In the following, tiie Invention and its prefen^ embodiments will be 

described more closely referring to the examples shown in Figures 1...10 in the 
appended drawings, wherein 
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Figure 1 illustrates an operating environment of the metiiod in accordance with 
the invention, 

Figure 2 shows an exchange of nnessages between various elementSi when 
5 the terminal attaches to the network or detaches from the network. 

Figure 3 Illustrates the structure of those messages, with which the server of 
the system is told that the user has attached to the network or has 
detached from the network, 
Figure 4 shows an exchange of messages taking place t>etween the various 
10 elements during authentication, 

Figure 5 illustrates the general stmcture of the messages sliown in Figure 5. 
Figure 6 illustrates those elements of the system, which are used for acquiring 

a connection-specific encryption key between two temiinals. 
Figure 7 shows an exchange of messages taking place in order to obtain an 
1 5 initial ticket from the Kerberos server, 

Figure 8 illustrates those parts of a terminal which are essential from the view- 
point of the invention. 
Figure 9 shovys an exchange of messages taking place in order to obtain an 
encryption key for communication between two temninals, and 
20 Figure 10 illustrates an alternative embodiment of the system. 

Detailed description of the invention 

In the following the invention will be described with reference to a 
network environment, wherein mobility of the subscribers is supported with the 

25 aid of a Mobile IP protocol (MIP hereinafter). The MIR is such a version of the 
existing IP, which supports mobility of the terminals. (The MIP principle is 
described e.g. in the RFC 2002. October 1996, or in the article Upkar Varsh- 
ney. Supporting Mobility with \MrelessATM, Internet Watch, January 1997.) 

The MIP is based on the idea that each mobile host or mobile node 

30 has an agent (home agent) allocated for Itself, which relays packets to the 
current location of the mobile node. When the mobile node moves from one 
sub-networi< into another, it registers with the agent (foreign agent) sen/ing the 
concerned sub-networi<. The last-mentioned performs checks with the mobile 
node's home agent, registers the mobile node and sends the registration 

35 Information to it Packets addressed to the mobile node are sent to the mobile 
node's original location (to the home agent), thence they are relayed further to 
the current foreign agent, which will forward them to the mobile node. 
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Figure 1 shows a typical operating environment of the method in 
accordance with the invention. The heart of the system is the security server 
SS. which is connected both to the Internet and to a proxy server HP. which 
has access to a separate mobile network MN. which in this example is a GSM 

5 networic. The proxy server forms a network element, which (in a manner to be 
described later) relays traffic between the security server and the home loca- 
tion registers HLR of mobile communications networics, which home location 
registers HLR are located in the home networics of the subscribers. In practice, 
both the proxy sen/er and the security server are located on the premises of 

10 the network operator, e.g. in the same room, so that even if there is an IP 
connection between the security server and the proxy server, it is a secured 
connection. As the GSM networic is known as such and the invention does not 
require any changes to be made in it. it is not described more cbsely in this 
connection. 

15 Users moving in the area of the system can use portable computers. 

PDA equipment, intelligent phones or other such tenninals. Only one temninal 
TE1 is illustrated by reference mark CLIENT in the figure. For the present 
purposes, client generally means an object using the services provided by the 
network and carried out by the network servers. Client often means a program 

20 which connects with a server on behaif of the network user. 

Two sub-networi^s are shown in the figure and in practice they may be 
e.g. Ethernet local area networi<s. wherein TCP/IP packets are transmitted: the 
user's home networtc HN and the foreign networic FN, to which terminal TE1 is 
assumed to be connected. These sub-networi<s are both connected to the 

25 Internet by way of a gateway GW (a router). The home networic includes the 
home agent HA of the said mobile host and the foreign network conespond- 
ingly includes the foreign agent FA. Accesses to the sub-networtcs take place 
through access points AP. e.g. in a wireless manner, as is shown in the figure. 
The temninals are fonmed by two parts in the same way as the ordi- 

30 nary GSM telephone: of the subscriber device proper, e.g. a portable computer 
(with software) and of the SIM (Subscriber Identity Module), whereby from the 
viewpoint of the networic the subscriber device becomes a functioning temninal 
only when the SIM has been pushed into it. In this case described as an ex- 
ample, the SIM is the subscriber identity module for use in the GSM networic. A 

35 terminal may have access only to the IP networic, or it may be a so-called dual 
mode device, which has access both to the IP networic and to the GSM net- 
work. Th© access to the IP networtc takes place e.g. with the aid of a LAN card 
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in the terminal and to the GSM network with the aid of a GSM card, which in 
practice is a stripped telephone, which is located e.g. in the computer's 
PCMCIA expansion slot. 

In a prefenred embodiment of the invention, there Is also a Kerberos 

5 sender KS In connection with the security server which is known as such and 
which is used for implementing encrypted connections in a manner to be 
described hereinafter. The security server and the Kerberos sen/er may be 
physically in the same machine. 

For the security server to Icnow when the user enters or exits the IP 

10 network, a channel is brought about between the security server and the home 
agent in the manner shown in Figure 2. In accordance with the MIP protocol, 
foreign agent FA continuously sends broadcast messages to Its own sub- 
network, which messages are called by the name of "agent advertisement" 
and which are indicated by the reference mark AA in the figure. When the 

15 temfiinal attaches to the said sub-network, it will receive these messages and 
conclude from them whether it is in its own home network or in some other 
network. If the temninal finds that it is in its home network, it will function with- 
out any mobility services. Otherwise the terminal will get a care-of address in 
the foreign network in question. This address is the address of that point in the 

20 network to whtoh the terminal is temporarily connected. This address at the 
same time fornis the temnination point of the tunnel leading to the said termi- 
nal. Typically, the terminal gets the address e.g. from the above-mentioned 
broadcast messages, which the foreign agent is sending. Thereupon the 
terminal sends a RR (Registration Request) to its own home agent through 

25 foreign agent FA. The message contains, among other things, that careof 
address, which the temninal just received. Based on its received request mes- 
sage, the home agent updates the said temninars location infonmation in its 
database and through the foreign agent it sends a Registration Reply R^Reply 
to the temninal. In the reply message there is all the necessary infomiation 

30 Indicating how (on what conditions) the home agent has accepted the registra- 
tion request. 

All the messages between the temninal. the foreign agent and the 
home agent which were described above are norrrial messages in accordance 
with the MIP protocol. The mobile node may also register directly with the 
35 home agent. The above-mentioned RFC describes the mies. which detemiine 
whether the mobile node will register directly with the home agent or through 
the foreign agent. If the mobile node gets a care-of address in the manner 
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described above, the registration must always be made through the foreign 
agent. According to the MIP protocol, authentication is also performed in 
connection with the registration with the purpose to reduce the occurrence of 
ent)rs in connection with the registration. The registration is based on a check 
5 value calculated from the registration message (from the registration request 
or reply), and the registration must be made only between that mobile node 
and that home agent which have a shared fixed key (which is agreed upon in 
advance). Under these circumstances, the foreign agent is not necessarily 
able to authenticate the mobile node. This problem is aggravated, if as large a 
10 geographical coverage as possible is an objective in the system. 

According to the invention, a facility is added to the home agent to the 
effect that the home agent provides the security server witii infomiation about 
the terminal attached to the networic, after the registration request message 
has amved from the foreign agent. This message is indicated in the figure by 
15 reference mark MOB^ATTACH. Correspondingly, the home agent provides 
the security sen/er with infomiation about the terminal which has left the net- 
wort< after the temiinal has detached from the network (after the terminal has 
detached from the networi< or after the lifetime of the address given to it has 
run out). In the figure, this message is indicated by the reference mark 
20 MOB^DETACH. To each type of message' the security sen/er sends an ac- 
knowledgement message (MOB^CK). As regards their purpose of use. the 
MOB_ATTACH and MOB_DETACH messages correspond to the IMSI at- 
tach/detach procedures used in a GSM network. 

The home agent monitors the replies amving from the security server 
25 and sends the messages again (with the same parameters), should no ac- 
knowledgement message arrive from the security sen/er within a predeter- 
mined time. e.g. 30 seconds. 

Figure 3 illustrates the stmcture of the MOB_ATTACH, 
MOB^DETACH and MOB^ACK messages. In the messages there is a type 
30 field 31. which identifies the type of the message, a number field 32, which 
contains the random number or sequence number identiiying the session, and 
an address field 33. which contains the client's IP address. The last-mentioned 
field is absent from the acknowledgement message. The messages are 
transmitted in fields reserved for the payloads of IP datagrams. 
35 Thus, when the terminal has attached to the networt<, the security 

sen/er receives from the home agent infomiation about the IP address of the 
concerned terminal. Thereupon follows authentication of the client, which will 
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be described in the following with reference to Figure 4, For the authentication, 
the security sen/er first asks the client for the IMSI (International Mobile Sub- 
scriber Identity), which is stored on the SIM (the AUTHJD_REQ message). To 
this the client replies by giving his IMSI (which is a 9-byte identifier in accor- 
5 dance with the GSM specification) in the AUTHJD_RSP reply message. The 
inquiry travels through the home agent to the temnination point of the above- 
mentioned tunnel, but the reply comes directly from the terminal to the security 
server. 

If the client's IP address does not change often, it is preferable to 

10 store in the security server the IMSI identifiers conresponding to the IP ad- 
dresses, whereby identifiers need not be moved around unnecessarily in the 
networic. Thus, the above-mentioned messages are not necessary. 

When the tenminal has stated its IMSI identifier or when the security 
server has fetched it from its database, the security sender starts the actual 

15 authentication. To enable authentication of the terminal's SIM, there must be a 
connection between the security server and the AuC (Authentication Center) 
located in connection with the home location register HLR of the subscriber's 
own GSM networic. This is implemented with a proxy sen/er HP, which func- 
tions as a connecting networl< element between the IP network and the GSM 

20 - networt^, more precisely between the IP networtc and the SS7 signaling net- 
wori^ utilized by the GSM networl<. The GSM network service needed in the 
authentication is MAP_SEND_AUTHENTICATIONJNFO (GSM 9.02, v. 
4.8.0). This sen/ice is implemented by using the proxy server HP. which may 
be located on the premises of the local GSM operator. The security server 

25 transmits to the proxy server a SECJNFO^REQ authentication request mes- 
sage, which contains a session identifier and the IMSI subscriber identifier. 
The proxy sen/er for its part transmits to the authentication centre AuC an 
inquiry message in accordance with the MAP (Mobile Application Part) proto- 
col, which inquiry message is used to request an authentication triplet and 

30 which is nomially transmitted between the VLR and the HLR. In response to 
this inquiry message, the HLR returns to the proxy server a normal authentica- 
tion triplet, which contains a challenge (RAND), a response SRES (Signed 
Response) and a key Kc (the connection-specific encryption key used in the 
GSM network). The proxy sen/er relays the triplet further to the security server 

35 in a SECJNFO^RSP message. The security sen/er stores the triplet and 
transmits the challenge (the AUTH_CHALLENGE3EQ message) further to 
the terminaPs SIM. which based on this message generates a response 
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(SRES) and a key Kc. The terminal stores the key and transmits the response 
(the AUTH_CHALLENGE_RSP message) (SRES) back to the security server. 

In the terminal there is preferably a database, wherein the challenges 
are stored. In this way it is possible to make sure that one challenge will be 
5 used just once. In this manner it is possible to prevent anyone from pretending 
to be a security server by snatching from the network the (non-encrypted) 
challenge and the response and by finding out the key Kc from these. If the 
same challenge occurs once again, no reply will be given to this challenge. 
The security sen/er may also filter out those challenges which have already 
10 been used, and when required it may ask for a new authentication triplet from 
the GSM network, so that no such challenge which has already been used will 
be transmitted to the temntnal. 

The proxy server HP functions in the system as a virtual visitor loca- 
tion register VLR. because at least as regards the authentication triplet inquir- 
15 ' ies it appears from the home register like a networi< element of the same kind 
as the genuine visitor registers of the GSM network. The proxy server also 
functions as a filter allowing access to the GSM system^s signaling network 
only to autiientication triplet inquiries. The proxy server does not either inter- 
fere with any other inquiries from the home register on the GSM networi< side. 
20 Figure 5 illustrates the general structure of the messages presented in 

Figure 4. In the messages there is a type field 51 , which identifies the type of 
the message, a number field 52, which contains the random number or se- 
quence number identifying the session, and a payload field 53, the length of 
which varies depending on which message is at issue. In messages between 
25 the security sen/er and the terminal, the two first fields occur in all messages, 
but there is no payload field in *e AUTHJD^REQ message. In the 
AUTH JD_RSP message the length of the payload field is 9 bytes (the length 
of IMSI is 1+8 bytes), in the AUTH_CHALLENGE_REQ message its length is 
16 bytes (the length of RAND is 16 bytes) and in the 
30 AUTH_CHALLENGE_RSP message its length is 4 bytes (the length of SRES 
is 4 bytes). In the messages between the security sen/er and the proxy server, 
the length of the payload field is 9 bytes (IMSI) in the case of the 
SECJNFO_REQ message and nx28 bytes in the case of the 
SECJNFO^RSP message (in the triplet there is a total of 28 bytes and the 
35 network elements are generally configured so that they will transmit 1...3 
subscriber-specific triplets at a time). As mentioned above, normal GSM net- 
work signaling is used between the proxy server and the home location regis- 
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terHLR. 

The security server compares the response it received from the termi- 
nal with the response anived in the triplet and. If it is found in the comparison 
that the responses are the same, the authentication is successful. 
5 In response to a successful authentication, the security server starts a 

registration with the Kerberos server. In this context the Kerberos server 
means a process, which provides a Kerberos service. The Kerberos server is 
preferably located in connection with the security server, as is shown in Figure 
1. 

10 Kerberos is a system intended for authentication of networic users and 

sen/ices. It is a trusted sen/ice in the sense that its every client trusts that the 
system's assessment of all Its otiier clients is coniect. Since the Kerberos 
system is known as such, and its operation is not changed in any way, it will 
not be described in detail in this context. The system is described e.g. in the 
15 document Steiner, Neuman, Schiller: Kerberos: An Authentication Service for 
Open Networl^ Systems, January 12. 1988, from which the interested reader 
may find background information, if he so desires. In the following description 
the same ways of marking will be used as in the above-mentioned document. 
The description is based on the Keriaeros version 4. 
20 c client, 

s -> server 

c-addr -> client's networi< address 
tgs ticket-granting server 

Kx x's private key 

25 Kvv session key for X and y 

{abc}Kx abc encrypted using x's personal key 
jx.y ^ x*s ticket for using y. 

Figure 6 illustrates the objects of the Kert:)eros and authentication 
applications. It is assumed in the figure that the system has two clients, A and 

30 B. Each client may be a tenninal, which has been authenticated by the security 
sender in the manner described above, when it attached to the IP network, or 
one may be a "permanently" authenticated client, e.g. a sen/er. The Kerberos 
application includes two parts: client program KC. which is located at the 
terminal, and server program KS, which is located at the security sen/er. The 

35 sen/er program also includes a ticket-granting server TGS. Correspondingly, 
the authentication application includes two parts: the client program AC. which 
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is located at the terminal, and the server program AS, which is located at the 
security server. Communication takes place with the aid of IP/MIP/IP-SEC 
stacks, which will be described in greater detail below. 

The following is a description of how the Kerberos protocol is used for 

5 bringing about a connection-specific key between terminals A and B. 

When the security sen/er has found that the authentication was suc- 
cessful, it will start registration of the Kerberos client with the Kerberos server. 
In practice, this happens in such a way that the security server's authentication 
block AS registers the key Kc anived in the authentication triplet (a) as the 

10 client's password and (b) as a password into the service formed for the client's 
IP a^ddrsss or for the IMSI subscriber identifier. The sen^ice is given some 
name which is detennined in advance. 

Then the client may request a tk:ket for the ticket-granting server 
using the key Kc. This exchange of messages is shown in Figure 7. After the 

15 client has received the key Kc, it transmits to the security server (to the Kerbe- 
ros server) a message, with which it requests an initial ticket of the Kerberos 
system. There may be a brief predetemiined delay between the reception of 
the key and the transmission of the messaige, so that the security server will 
have time first to perfbnn the registration with the Kerberos server. After the 

20 delay, the terminal transmits to the security server a request in accordance 
with the Kerit)eros protocol, which always contains the client's identity (the IIVISI 
or IP address) and the name tgs of a certain special service, the ticket-granting 
service. Upon receiving this inquiry the Kerberos sen/er checks whether it 
knows the client. If it does, it will generate a random connection-specific key 

25 Kq ^gs, which will be used later in data transmission between the client and the 
ticket-granting sen/er. Thereupon the KertDeros sen/er generates a ticket 
Tctgs' ^ which the client may use the ticket-granting sen/ice. This ticket 
contains the client's name, the name of the ticket-granting sen/er, the current 
time of day. the lifetime of the ticket, the client's IP address and the connec- 

30 tion-specific key just generated. Using the rtiethods of maricing described 
above, the contents of the ticket can be presented as follows Tc_tgs={c. tgs, 
timestamp, lifetime, c-addr, Kc^tgsl- This ticket is encrypted using key Ktgs. 
which is known only to the ticket-granting sen/er and to the Kerberos server. 
Then the KeriDeros server transmits as a response to the client a packet, which 

35 contains the encrypted ticket and a copy of the connection-specific key K^ ^gg. 
The response is encrypted using tiie client's own key Kc. The terminal stores 
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the ticket and the session key for future use. 

When the terminal has stored the ticket and the session key, it has 
access during the ticket's lifetime to the ticket-granting servk^e and it is pre- 
pared to be in connection with a third party. 

5 Figure 8 illustrates those functional blocks of a terminal, which are 

essential from the viewpoint of the invention. The terminal is in connection with 
the networi< by way of the IP/MIP/IP-SEC protocol stack. IP/MIP/IP-SEC is 
such a known TCP/IP stack, which has built-in mobile IP characteristics and 
encryption functions. Seen from above, this stack appears just like an ordinary 

10 IP stack, but firom below (from the network side) the said stack transmits 
encrypted Information in accordance with a certain security policy. This secu- 
rity policy is detemiined by a separate security policy bkx^k SPB, which con- 
trols the IP/MIP/IP-SEC stack by indicating to the stack the other objects in the 
network to which encrypted information must be sent. These objects are 

15 generally defined in the security policy block with the aid of the temiinars IP 
address and port number. The definition can be made even finer by also 
defining those user identifiers, for which the encryption is done. In practice, the 
security policy block is built into the IP/MIP/IP-SEC stack, but in a functional 
sense it is a block in its own right. 

20 In addition to the security policy block, the terminal contains a key 

management block KM, which attends to management of keys. In connection 
with the key management block there is a database containing all the encryp- 
tion keys used by the terminal. The key management block can be imple- 
mented e.g. with the aid of the known PF_KEY API (API=Application Pro- 

25 gramming Interface). PF_KEY is a generic application programming interface, 
which may be used not only for IP layer security services, but also for other 
security services of the networic. This API detennines the socket protocol 
family, which the key management applications use to communicate with parts 
of tiie operating system relating to the key management. Since the invention is 

30 not related to the known PF_KEY protocol, it will not be described more closely 
in this context. The protocol is described in the document McDonald, Metz, 
Phan: PF_KEY Management API, version 2, 21 April, 1997, where the inter- 
ested reader will find background iiifbrmation. 

In the key management block KM ttiere are specific definitions for 

35 how and with whidi key the encryption is earned out to each networi< address. 
This definition may be made e.g. so that for each individual IP address and 
port that protocol and that key are stated which must be used when in connec- 
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tion with the port in question. 

When a packet which is to be transmitted outwards arrives in the 
IP/MIP/IP-SEC stack, the stack reads the packets destination address and 
asks the security policy block SPB which is the encryption policy as regards a 

5 packet carrying the address in question. In response, the security policy block 
tells the IP/MIP/IP-SEC stack whether encryption is to be made, and if so, with 
which method the encryption is to be canied out. This information is relayed to 
the key management block KM. 

In the Initial stage, the user has detemnlned those connections for the 

10 security policy bbck, on which encryptton must be used. If the security policy 
block states that encryption must be used and if the key management block 
finds that there is as yet no key for the temninal with which a connection is 
desired, the key management block will send a key request to the Kerberos 
client KC. who will request a server ticket for the concerned terminal from the 

15 security server's ticket-granting service. This signalling is illustrated in Figure 9. 
The tenninal (the Kerberos client) sends to the ticket-granting sen/er such a 
request in accordance with the Kerberos protocol, which contains the name (s, 
e.g. terminal B) of that server, for which the ticket is desired, a ticket T^^^g^ 
encrypted with the ticket granting seryefs own key Ktgs for access to the 

20 ticket-granting service and an authenticator Ac, which Is encrypted with a 
connection-specific key K^ tgs- The authenticator is a data structure, which 
contains the clienfs name and IP address as well as the cunent time. Ob- 
sen/ing the used method of marking Ac = {c, c-addr. timestamp}. 

The ticket-granting server checks the authenticator's infomnation and 

25 the ticket T^ ^g^. If the ticket is all right, the ticket-granting sen/er generates a 
new random session key K^^s* ^l^'^*^ '^^V together with a third 

party of his choice. Then the ticket-granting sen/er fonms a new ticket T^^s 
the said third party, encrypts the ticket using the said third party's own key Kg. 
which is the same as the concerned subscriber's key Kc described above, and 

30 transmits the encrypted key together with the session key to the tenminal. The 
entire reply is encrypted using key K^^gs- 

Upon receiving the reply message, the tenminat unpacks the packet, 
transmits the first part {Tc,s)Ks to the third party (to tenninal B) and stores the 
new session key K^^s *® "^^V database. The tenninal of the third party gets 

35 the recently generated session key K^. ^ from the ticket by first decrypting the 
ticket with its own key Kc. Thereafter the new session key is available to both 
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terminals and encrypted data transmission may begin. 

When the Kerberos client has started his activity (when the client is 
registered vwth the Kerberos server), it must inform the IP/MIP/IP-SEC layer 
that it is able to serve session key requests. By using the PF_KEY protocol. 
5 this is done in such a way that the Kerberos client opens a special socket 
address into the kernel of the operating system and registers with the kemel 
with a SADB_REGISTER message. Then the PF_KEY protocol sends a 
SADB_ACQUIRE message each time when the key is needed for some out- 
bound interface. When receiving this message, the Kerberos client will act in 

10 the manner described above, that is, he sends a request to the ticket-granting 
server, of the received response it sends the part intended for the other party 
to the opposite end of the connection and relays the received sesston key to 
the key management block. In addition, the Kerberos client listens to a certain 
socket address in order to notice any tickets that may an-ive from other objects 

15 in the network. Having received such a ticket packet, it acknowledges recep- 
tion of the packet, unpacks the packet and relays the necessary keys to the 
key management system, whereby these keys can be used when connections 
exist with the concerned peer. 

When the terminal detaches from the network (message 

20 MOB_DETACH), the security server will remove both registrations from the 
Kerberos server. 

In practice, the terminal and the security server must have certain port 
numbers open for non-encrypted data transmission. Such ports are the port, 
through which authentication messages are transmitted between the terminal 

25 and the server (Figure 4). the port, through which tickets are transfened to the 
Kerberos clients, and the port, through which ticket requests are transferred. 

The authentication triplet can be sought in various ways. In a small- 
scale embodiment It is possible to use a virtual "HLR database", wherein a 
suitable nurnber of authentication triplets is stored in advance. E.g. 10000 

30 triplets from each user would require 280 kilobytes of memory per user. Thus, 
. e.g. a 6 GB disk could accommodate authentication triplets for more than 
21000 users. The authentication triplets may be loaded in advance when the 
user gets the service, by leaving the SIM module for a few hours in a smart 
card reader, which supplies the challenges to the module. The authentication 

35 triplets formed of the obtained responses are stored in the database using the 
module's infomiation. This method also works with all SIM modules, in^espec- 
tive of the operators. The database may be located e.g. in connection with the 
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security server. Thus, it is not necessary to seek the authentication triplet(s) 
from the mobile communications network, but subscriber-specific authentica- 
tion triplets can be stored in advance in a database OB located in connection 
with the security server (compare with Figure 1). This means that proxy serv- 

5 ers are not necessarily needed at all. For some subscribers there may also be 
ready-made authentication triplets in the database and for some they may be 
fetched in real time from the mobile communications system. Authentication 
triplets can also be fetched in advance from the mobile communications sys- 
tem and placed in the database. 

10 in principle, it is also possible to copy each user's SIM module and 

use the copy in connection with the security sen/er for authentication of the 
user (whereby no inquiry is made from the mobile communications network). 

These two methods described above make it possible for the used 
S\M modules to be modules dedicated solely for this purpose, and they do not 

15 necessarily relate to the mobile communications network's subscriber. 

The necessary authentication data can also be obtained from the 
GSM networic e.g. from the connection between the MSG (Mobile Switching 
Centre) and the BSC (Base Statfon Controller). Thus, the proxy server need 
not necessarily emulate the visitor tocafon register VLR, as was presented 

20 above, but it may also function as a network element of the same kind as the 
GSM network's base statbn controller. Such an altemative is illustrated in 
Figure 10. where the said networic element is mariced with the reference mark 
BP. In this case* the proxy server is thus a virtual base station controller, which 
is connected to the MSC (Mobile Switching Centre) in the same way as the 

25 GSM networi^'s normal BSCs (Base Station Controllers). Looking from the 
mobile switching centre, the proxy sen/er looks like an ordinary base station 
controller at least as regards the signalling relating to authentication. 

However, it is a problem in this second alternative that it requires 
considerably more complex signalling between the proxy server and the GSM 

30 network than the first altemative (Figure 1). Besides, in consequence of the 
authentication of the second altemative. the user will in the GSM system move 
into the area of the proxy sen/er BP emulating a base station controller, but 
this is not a real base statiori controller in the. sense that it would be able also 
to switch calls. Thus, this solution can be used only in connection with data 

35 sen/ices, and the temiinal can not be the kind of dual mode equipment as 
mentioned above. 

Although the invention was described in the foregoing with reference 
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to a MIP enabled network, the solution according to the invention is not bound 
to tills protocol. If the protocol to be used is IPv6, then there are no proper 
agents in the network. Hereby the information about when the user is in the 
network must be sought frorri the routing tables of the router in the user's 
5 home network. In practice, this means that the network must include a sepa- 
rate "locating agent", which by monitoring or "pinging" the router will notice that 
the user has entered the network and in consequence of this will start authen- 
tication by sending to the security server a message (MOB_ATTACH) about 
the new user. It is probable, however, that router manu^cturers are designing 

1 0 a protocol from which it emerges when the user is in the network. 

Although the invention was described above with reference to the 
examples shown in the appended drawings, it is obvious that the invention is 
not limited to these, but it may be modified within the inventive idea presented 
in the appended claims. Authentication need not necessarily be perfonmed in 

15 order to set up an encrypted connection between users, but as a result of a 
successful authentication one may perfomn e.g. registration with a mail server 
before transmitting e-mail messages to the user's machine. In this way a more 
reliable authentication is achieved than by the present methods based on 
passwords, in addition, in connection with the access points there may be 

20 local senders, which function as proxy servers for the security server proper, or 
the system may include more than one security server. Instead of the Kerbe- 
ros system it is also possible to use e.g. public key management, which is 
based on a x.500-database and on x.509 certificates. 
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Claims 

1. Authentication method for telecommunications networks, especially 
for IP networks, in accordance with which method the identity of a subscriber 
attached to the network is authenticated, 

5 characterized by 

- in a network terminal (TE1). using a subscriber identity module (SIM) 
essentially of the same kind as in a known mobile communications system 
(MN), which identity module is such that a response is obtained as a result of a 
challenge given to it as input, 

10 - using a special security sen/er (SS) in the network so that when a 

temriinal attaches to the network, a message of a new user is transmitted to 
the security sen/er. 

- fetching subscriber authentication information corresponding to the 
said new user from the said mobile communicattons system to the said net- 

15 work, which authentteation infomnation contains at least a challenge and a 
response, and 

- performing the authentication based on the authenttcatton informa- 
tion obtained from the mobile communteations system by transmitting the said 
challenge to the terminal through the network, by generating a response from 

20 the challenge in the identity module of the temriinal and by comparing the 
response with the response received from the mobile communications system. 

2. Method as defined in claim 1. characterized in that fetching 
of the subscriber's authentication infomnation from the mobile communications 
system is started from the security sen/er (SS) in response to the said mes- 

25 sage. 

3. Method as defined in claim 1, characterized in that in 
response to a successful authentication, registration of the subscriber is per- 
fomied as a client of a separate key management system. 

4. Method as defined in claim 3 for IP networi<s, characterized 
30 in that the known Kerberos system is used as the key management system. 

5. Method as defined in claim 4, characterized in that the 
subscriber-specific authentication Information obtained from the mobile com- 
munications system also Includes a key (Kc). whereby the subscriber is regis- 
tered as a client of the Kerberos system so that the key is registered (a) as the 

35 client's password and (b) as a password for a sen/ice formed for the client's IP 
address or for a subscriber identity (IMSI) used in the mobile communications 
system. 
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6. Method as defined in claim 1, characterized in that the 
subscriber's authentication infoonation is fetched with the aid of a separate 
proxy server (HP), which functions as a network element emulating the visitor 
location register VLR of the mobile communications system and which re- 

5 quests the authentication infonmatlon from an authentication centre AuC lo- 
cated in connection with the subscriber's home location register HLR in the 
same way as the mobile communications system's own visitor location regis- 
ter. 

7. Method as defined in claim 1, characterized in that the 
10 subscriber's authentication infomiation is fetched with the aid of a separate 

prox^ server (BP), which functions as a network element emulating the mobile 
communications system's base station controller and which is In connection 
with the mobile communications system*s rmbWe switching centre (MSC) for 
fetching the authentication infomiation from an authentication centre AuC 
15 located in connection with the subscriber's home location register HLR in the 
same way as the authentication information is fetched to the mobile communi- 
cations system's own base station controller. 

8. Authenticatton system for telecommunications networks, especially 
for IP networks, which system includes authentication means for authenticat- 

20 ing the identity of a subscriber who has attached to the network, 

characterized in that the authentication means include 

- a subscriber identity module (SIM) connected to the network's termi- 
nal (TE1), the module being essentially similar to the subscriber identity mod- 
ule used in a separate mobile communications system (MN). whereby a re- 

25 sponse can be determined from a challenge given to the identity module as 
input, 

- messaging means (HA) for sending a message when a tenninal 
attaches to the network, 

- a special security server (SS) for receiving the said message. 

30 - means for requesting authentication infonnatlon corresponding to a 

subscriber from the said mobile communications system (MN). which infomna- 

tion contains at least a challenge and a response, and 

• on the skie of the said network, data transmission and checking 

means for transmitting the challenge through the network to the identity mod- 
35 ule, for returning the response from the temiinal to the network and for conv- 

paring the received response wifli the response received from the mobile 

communicattons system. 
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9. System as defined in claim 8. characterized in that the said 
identity module is the subscriber identity module (SIM) used in the GSM net- 
woilc 

10. System as defined In claim 8, characterized In that the 
5 messaging means are adapted into a home agent (HA) in accordance with the 

mobile IP network. 

11. System as defined in claim 8. characterized in that the 
means for requesting authentication information include the said security 
sen/er and a proxy sender (HP, BP), which is connected to the GSM network, 

10 12. System as defined in claim 11. characterized in that the 

proxy sender functions as a network element emulating the visitor location 
register VLR of the GSM network. 

13. System as defined in claim 11, characterized in that the 
proxy server functions as a network element emulating the base station con- 

1 5 trailer BSC of the GSM network. 

14, System as defined in claim 11, characterized in that the 
system further Includes a Kerberos server (KS) which is known as such and as 
the user of which the subscriber will be registered as a result of a successful 
authentication. 

20 15. Authentication method for telecommunications networics. espe- 

cially for IP networks, in accordance with which method the identity of a sub- 
scriber attached to the networic is authenticated, 
characterized by 

- in a networi< terminal (TE1). using a subscriber Identity module (SIM) 
25 essentially similar to the one used in a known mobile communications system 

(MN), which Identity rrodule is such that a response Is obtained as a result of a 
challenge given to It as input, 

- storing subscriber-specific authentication infomnation in a database 
(DB), the information being in that way essentially similar to the infonnation 

30 used for authentication in the said mobile communications system that it con- 
tains at least a challenge and a response, 

• using a special security server (SS) in the network so that when a 
temilnal attaches to the networi^. a message about the new user is transmitted 
to the security server. 

35 . in response to the message, retrieving authentication infonnation of 

the subscriber corresponding to the new user from the said database (DB), 
and 
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- performing authentication based on the authentication infomfiation 
obtained from the database by transmitting the said challenge through the 
network to the temiinal. by generating a response from the challenge in the 
identity module of the tenfninal and by comparing the response with the re- 

5 sponse obtained from the database. 

16. Method as defined in claim 15. characterized in that the 
database is stored in connection with the security sers^er. 

17. Method as defined in claim 15, characterized in that in 
response to a successful authentication, registration of the subscriber is per- 

1 0 fomned as the user of a separate key management system. 

18. Method as defined in claim 17, characterized in that the 
known Kerberos system is used as the key management system. 

19. Authentication system for telecommunications networks, espe- 
cially for IP networks, which system includes auttentication means for authen- 

15 tication of the identity of a subscriber attached to the networic. 

characterized in that the authentication means include 

- a subscriber identity module (SIM), which is connected to a network 
terminal (TE1) and which is essentially similar to the subscriber identity module 
used in a separate mobile communicattons system (MN), whereby a response 

20 can be detenmined from the challenge given as input to the identity module, 

- messaging means (HA) for sending a message when a terminal 
attaches to the networic, 

- a special security server (SS) for receiving the said message, 

- database means (SS, DB), which Include a database (DB), wherein 
25 subscriber-specific authentication infonnation is stored, which is in such a way 

essentially similar to the infonmation used for authentication in the said mobile 
communications system that it includes at least a challenge and a response, 
and retrieval means (SS) for retrieving subscriber-specific authentication 
infomiation from the said database in response to the message, 
30 - on the side of the said networi<, data transmission and checking 

means for transmitting the said challenge through the networi< to the identity 
module, for returning the response from the temninai to the networic and for 
comparing the received response with tiie response received from tiie data- 
base. 

35 20. System as defined in claim 19. characterized in that the 

said identity module is a subscriber identity module (SIM) used in the GSM 
networic. 
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21 . System as defined in claim 19, characterized in that the 
messaging means are adapted into a home agent (HA) in accordance with the 
mobile IP network. 

22. System as defined in claim 19, c h a r a c t e r i z e d in that the 
5 system further includes a Kerberos server (KS). which is i<nown as such and 

as the client of which the subscriber is registered as the result of a successful 
authentication. 
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